fix(inputs.x509): Multiple sources with non-overlapping DNS entries. (#11613)

2022-08-05 20:54:23 +02:00 · 2022-08-05 20:54:23 +02:00 · 7bd9c91ebe
parent 091380f4b5
commit 7bd9c91ebe
2 changed files with 31 additions and 12 deletions
--- a/plugins/inputs/x509_cert/x509_cert.go
+++ b/plugins/inputs/x509_cert/x509_cert.go
@ -1,5 +1,6 @@
-//go:generate ../../../tools/readme_config_includer/generator
 // Package x509_cert reports metrics from an SSL certificate.
+//
+//go:generate ../../../tools/readme_config_includer/generator
 package x509_cert

 import (
@ -28,6 +29,7 @@ import (
 )

 // DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data.
+//
 //go:embed sample.conf
 var sampleConfig string

@ -143,15 +145,14 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 		if err != nil {
 			return nil, err
 		}
-		c.tlsCfg.ServerName = serverName

-		c.tlsCfg.InsecureSkipVerify = true
-		conn := tls.Client(ipConn, c.tlsCfg)
+		downloadTLSCfg := c.tlsCfg.Clone()
+		downloadTLSCfg.ServerName = serverName
+		downloadTLSCfg.InsecureSkipVerify = true
+
+		conn := tls.Client(ipConn, downloadTLSCfg)
 		defer conn.Close()

-		// reset SNI between requests
-		defer func() { c.tlsCfg.ServerName = "" }()
-
 		hsErr := conn.Handshake()
 		if hsErr != nil {
 			return nil, hsErr
@ -196,15 +197,17 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 		if err != nil {
 			return nil, err
 		}
-		c.tlsCfg.ServerName = serverName
-		c.tlsCfg.InsecureSkipVerify = true
+
+		downloadTLSCfg := c.tlsCfg.Clone()
+		downloadTLSCfg.ServerName = serverName
+		downloadTLSCfg.InsecureSkipVerify = true

 		smtpConn, err := smtp.NewClient(ipConn, u.Host)
 		if err != nil {
 			return nil, err
 		}

-		err = smtpConn.Hello(c.tlsCfg.ServerName)
+		err = smtpConn.Hello(downloadTLSCfg.ServerName)
 		if err != nil {
 			return nil, err
 		}
@ -221,7 +224,7 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 			return nil, fmt.Errorf("did not get 220 after STARTTLS: %s", err.Error())
 		}

-		tlsConn := tls.Client(ipConn, c.tlsCfg)
+		tlsConn := tls.Client(ipConn, downloadTLSCfg)
 		defer tlsConn.Close()

 		hsErr := tlsConn.Handshake()
@ -363,6 +366,15 @@ func (c *X509Cert) Gather(acc telegraf.Accumulator) error {
 				tags["verification"] = "valid"
 				fields["verification_code"] = 0
 			} else {
+				c.Log.Debugf("Invalid certificate at index %2d!", i)
+				c.Log.Debugf("  cert DNS names:    %v", cert.DNSNames)
+				c.Log.Debugf("  cert IP addresses: %v", cert.IPAddresses)
+				c.Log.Debugf("  opts.DNSName:      %v", opts.DNSName)
+				c.Log.Debugf("  verify options:    %v", opts)
+				c.Log.Debugf("  verify error:      %v", err)
+				c.Log.Debugf("  location:          %v", location)
+				c.Log.Debugf("  tlsCfg.ServerName: %v", c.tlsCfg.ServerName)
+				c.Log.Debugf("  ServerName:        %v", c.ServerName)
 				tags["verification"] = "invalid"
 				fields["verification_code"] = 1
 				fields["verification_error"] = err.Error()
--- a/plugins/inputs/x509_cert/x509_cert_test.go
+++ b/plugins/inputs/x509_cert/x509_cert_test.go
@ -103,6 +103,7 @@ func TestGatherRemoteIntegration(t *testing.T) {
 			sc := X509Cert{
 				Sources: []string{test.server},
 				Timeout: config.Duration(test.timeout),
+				Log:     testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())

@ -165,6 +166,7 @@ func TestGatherLocal(t *testing.T) {

 			sc := X509Cert{
 				Sources: []string{f.Name()},
+				Log:     testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())

@ -193,6 +195,7 @@ func TestTags(t *testing.T) {

 	sc := X509Cert{
 		Sources: []string{f.Name()},
+		Log:     testutil.Logger{},
 	}
 	require.NoError(t, sc.Init())

@ -242,6 +245,7 @@ func TestGatherExcludeRootCerts(t *testing.T) {
 	sc := X509Cert{
 		Sources:          []string{f.Name()},
 		ExcludeRootCerts: true,
+		Log:              testutil.Logger{},
 	}
 	require.NoError(t, sc.Init())

@ -277,6 +281,7 @@ func TestGatherChain(t *testing.T) {

 			sc := X509Cert{
 				Sources: []string{f.Name()},
+				Log:     testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())

@ -365,8 +370,8 @@ func TestGatherCertMustNotTimeoutIntegration(t *testing.T) {
 	duration := time.Duration(15) * time.Second
 	m := &X509Cert{
 		Sources: []string{"https://www.influxdata.com:443"},
-		Log:     testutil.Logger{},
 		Timeout: config.Duration(duration),
+		Log:     testutil.Logger{},
 	}
 	require.NoError(t, m.Init())

@ -379,6 +384,7 @@ func TestGatherCertMustNotTimeoutIntegration(t *testing.T) {
 func TestSourcesToURLs(t *testing.T) {
 	m := &X509Cert{
 		Sources: []string{"https://www.influxdata.com:443", "tcp://influxdata.com:443", "smtp://influxdata.com:25", "file:///dummy_test_path_file.pem", "/tmp/dummy_test_path_glob*.pem"},
+		Log:     testutil.Logger{},
 	}
 	require.NoError(t, m.Init())

@ -407,6 +413,7 @@ func TestServerName(t *testing.T) {
 			sc := &X509Cert{
 				ServerName:   test.fromCfg,
 				ClientConfig: _tls.ClientConfig{ServerName: test.fromTLS},
+				Log:          testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())
 			u, err := url.Parse(test.url)